FW: [rc5] 56 bits seem to be enough

Fedor Kouranov ted99 at ibm.net
Wed Jun 4 22:10:31 EDT 1997


OK, let's get some things straight. ;-)

On 06/04/97 David Christensen <dchrist at home.com> said:

>I have a tendency to agree with you that 56 bits seems pretty good today. 

Not if we take PGP-1024 for 'pretty good'. And the most important: PGP-1024
will remain pretty good tomorrow, xxx-56 won't.

>Of course, you shouldn't forget Grove's law.  CPU's will double in power
>every 18 months.  A task that will take 5.5 years today may only take 2.75
>years with the next generation of CPUs.  If Grove's law holds, 6 years from
>now the same 1014 systems could crack the code in 4 months.

By then they will be twice as fast and twice as cheap and everybody will be
more concerned with cracking sensitive information. 56 bit is, um,
marginally secure *right now*, but after a year or two it will be as good
as postcards. Let's say that your adversary's computing power quadruples
each year. If it's feasible to crack 56 bit in 1997, then 64 bit will fail
in 2001 - you can add 2 bits per year. Thus, 128 bits is likely to hold *at
least* until 2033, unless it's cracked or a quantum computer is built. Will
anyone need your message then? That's what I call secure.

>Therefore, if we want to adopt some sort of standard encryption method to
>enable global, secure commerce, we should select one that will be secure for
>more than just a few years.

Essentially, we need variable-key-length methods, such as RSA (public key)
and RC5 (conventional). Then it will be safe to use, say, 10Kbit keys in
2050.

>It would seem the stats are holding at around 5.5 years to complete the 56
>bit RSA crack. The whole point of the exercise was to prove to the
>government that 56 bit keys are not sufficient, and given the huge amount
>of distributed computing power already involved I'm of the opinion that
>instead you've managed to prove the opposite.

If you're in doubt, check the DESCHALL page - they expect to be done within
10 to 20 weeks. Our effort is, as pointed out at the homepage, a group of
amateurs. Think NSA doing 1 Tkey/s. ;-)

>What I wonder is if there is a better method of finding the key than
>exhaustive search - and that the government knows of this method and is
>keeping it secret. If they can do that, what hope do we have, other than to
>create custom encryption methods for each task?

For RSA, the cracking work is simply factoring out the secret key from
the public one. There are 'fast' methods for this, but for several years to
come 2048 bit RSA is bulletproof. RC5 (as well as PGP's IDEA) is a
relatively new algorithm and DES is an oldie, but we have not heard of a
successful cryptanalytic attack on any of them. That is, all you have is
brute-force.

RTFM the FAQ at RSA's page before continuing this thread.


 /** Christ Is Risen ! *** __+__ ******  Fedor "Ted" Kouranov  *****/
 /* Xristos Voskrese ! **   \|    ** ted99 at ibm.net * fedor at bu.edu **/
 /** Xristos Anesti ! ****   |\  ** http://enz.siobc.ras.ru/~fedor */
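The key-length extrapolation in the message above, worked through as an added example (it is not part of the original thread). The baseline (a 56-bit search feasible in 1997) and the two growth rates (capacity quadrupling each year, i.e. doubling every 6 months, from the reply; doubling every 18 months from the quoted "Grove's law" paragraph) are the numbers the message states; the function names and the generalisation to an arbitrary doubling period are mine.

```python
import math


def bits_per_year(doubling_months: float) -> float:
    """Effective key bits an attacker gains per year when their search
    capacity doubles every `doubling_months` months.
    Quadrupling per year (doubling every 6 months) gives 2 bits/year."""
    return 12.0 / doubling_months


def year_key_falls(bits: int, baseline_bits: int = 56, baseline_year: int = 1997,
                   doubling_months: float = 6.0) -> float:
    """Year in which an exhaustive search over `bits` becomes as feasible as a
    search over `baseline_bits` was in `baseline_year`.
    Defaults are the message's assumptions: 56 bits in 1997, quadrupling yearly."""
    return baseline_year + (bits - baseline_bits) / bits_per_year(doubling_months)


def bits_needed_until(year: int, baseline_bits: int = 56, baseline_year: int = 1997,
                      doubling_months: float = 6.0) -> int:
    """Smallest whole key size that stays beyond exhaustive search until `year`
    under the same growth assumption (the inverse of year_key_falls)."""
    return math.ceil(baseline_bits + (year - baseline_year) * bits_per_year(doubling_months))


def crack_time_at(year: int, baseline_time_years: float, baseline_year: int,
                  doubling_months: float) -> float:
    """Time (in years) the same search takes in `year` if it took
    `baseline_time_years` in `baseline_year` and capacity doubles every
    `doubling_months` months. This reproduces the quoted 5.5-years-to-4-months
    figure for an 18-month doubling period over 6 years."""
    doublings = (year - baseline_year) * 12.0 / doubling_months
    return baseline_time_years / (2.0 ** doublings)


if __name__ == "__main__":
    # The reply's own figures: 64-bit falls in 2001, 128-bit holds until 2033.
    print("64-bit keys fall in", year_key_falls(64))
    print("128-bit keys fall in", year_key_falls(128))
    print("bits needed to hold until 2033:", bits_needed_until(2033))
    # The quoted paragraph: 5.5 years in 1997 -> about 4 months in 2003 with 18-month doubling.
    print("months for the same search in 2003:", crack_time_at(2003, 5.5, 1997, 18.0) * 12)
```

The two growth rates differ by a factor of three in bits gained per year (2 vs. 2/3), which is the whole disagreement in the thread: under the slower rate a 56-bit key survives about a decade longer, under the faster one it is already marginal. Neither model accounts for cryptanalytic shortcuts or the quantum computer the message mentions, so the output is a lower bound on how fast a key size erodes, not an upper one.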
